[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

US8990934B2 - Automated protection against computer exploits - Google Patents

Automated protection against computer exploits Download PDF

Info

Publication number
US8990934B2
US8990934B2 US13/648,863 US201213648863A US8990934B2 US 8990934 B2 US8990934 B2 US 8990934B2 US 201213648863 A US201213648863 A US 201213648863A US 8990934 B2 US8990934 B2 US 8990934B2
Authority
US
United States
Prior art keywords
memory
exception
response
execution
malicious code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US13/648,863
Other versions
US20130227680A1 (en
Inventor
Mikhail A. Pavlyushchik
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kaspersky Lab AO
Original Assignee
Kaspersky Lab AO
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kaspersky Lab AO filed Critical Kaspersky Lab AO
Assigned to KASPERSKY LAB ZAO reassignment KASPERSKY LAB ZAO ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: PAVLYUSHCHIK, MIKHAIL A.
Priority to EP13175197.6A priority Critical patent/EP2720170B1/en
Publication of US20130227680A1 publication Critical patent/US20130227680A1/en
Application granted granted Critical
Publication of US8990934B2 publication Critical patent/US8990934B2/en
Assigned to AO Kaspersky Lab reassignment AO Kaspersky Lab CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: KASPERSKY LAB ZAO
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Definitions

  • the invention relates generally to information processing security and, more particularly, to protection against computer exploits based on stopping and checking executable code before its execution.
  • DEP Data Execution Prevention
  • a related technology has been proposed for detecting possible malicious code that gets unpacked at run-time, such as the approach disclosed in U.S. Pat. No. 8,104,089.
  • This approach injects a packing manager into a process, or installs it in the operating system's kernel.
  • the packing manager uses memory page write and execute permissions to track when a program attempts to first write to, and then execute code from, a memory page.
  • This approach uses the operations of the unpacker to restore the packed code from its packed state, but ensures that the code cannot be subsequently executed without being checked for malware.
  • This technique deals particularly with packers, but it does not address the diversity of operations that are used by exploits, which can introduce malicious code in a variety of ways, not just through unpacking of the code.
  • ASLR Address Space Layout Randomization
  • One aspect of the invention is directed to a method for protecting against exploits in a computer system utilizing a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory.
  • a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory.
  • the method in response to a request by a process thread running in the computer system for allocation of a first portion of memory, an association of the process thread and the first portion of memory is recorded.
  • the memory access control arrangement is adjusted to establish a limited access regime in which one of the write and execute privileges is disabled.
  • the method monitors the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the limited access regime.
  • an exception type of the first exception is determined.
  • the process thread associated with the first portion of memory is looked up in the record, the process thread is analyzed for a presence of malicious code.
  • the exception type being determined as an execute exception
  • the content of the first portion of memory is analyzed for a presence of malicious code.
  • execution of the malicious code is prevented.
  • a related aspect is directed to a protection system for protecting against exploits.
  • a malware analysis module is configured to detect malicious code of an exploit.
  • An interceptor module is configured to detect a request by a process thread running in the computer system for allocation of a first portion of memory.
  • the interceptor module is further configured to record an association of the process thread and the first portion of memory; adjust memory access control arrangement to establish a limited access regime in which one of the write and execute privileges is disabled; and monitor the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the limited access regime.
  • an exception type of the first exception is determined by the interceptor module.
  • the process thread associated with the first portion of memory is looked up, and analysis by the malware analysis module is initiated to look for a presence of malicious code in the process thread.
  • the malware analysis module is initiated to look for a presence of malicious code in the first portion of memory.
  • the malware analysis module is configured to prevent execution of the malicious code in response to detection of a presence of malicious code as a result of the analysis.
  • FIG. 1 is a diagram illustrating an exemplary memory operation of a computer system in which an executable file of a program is loaded from a disk, or a non-volatile data storage device, into the memory.
  • FIG. 2 is a diagram illustrating a system according to one embodiment of the invention for detection of an exploit program code which uses vulnerabilities in software.
  • FIG. 3 illustrates a method of operation of an interceptor module of the system of FIG. 2 when the process threads request allocation of a memory page according to one embodiment.
  • FIG. 4 is a flow diagram illustrating a method for tracking the memory-related operations using the interceptor module of the system of FIG. 2 according to one embodiment.
  • FIG. 5 is a flow diagram illustrating a method for detection of a potentially hazardous executable code before its execution according to one embodiment.
  • FIG. 6 is a diagram illustrating a page table for use with certain embodiments of the invention.
  • FIG. 7 is a block diagram illustrating an example of a general purpose computer system on which embodiments of the invention can be implemented.
  • aspects of the present invention can be implemented as part of a computer system.
  • the computer system can be one physical machine, or can be distributed among multiple physical machines, such as by role or function, or by process thread in the case of a cloud computing distributed model.
  • aspects of the invention can be configured to run in virtual machines that in turn are executed on one or more physical machines. It will be understood by persons of skill in the art that features of the invention may be realized by a variety of different suitable machine implementations.
  • FIG. 1 is a diagram illustrating an exemplary memory operation of a computer system in which an executable file of a program is loaded from a disk, or a non-volatile data storage device, into the memory.
  • Each executable file has associated with it various segments, or sections, such as: code (.text), data (.data), non-initialized data (.bss), and memory space dynamically allocated during loading in the form of a heap and a stack.
  • Each segment has its own purpose; for example, the .text code segment contains directly executable instructions.
  • each segment is allocated a certain memory space (memory pages in case of paging memory-management scheme).
  • the code segment When instructions are executed, the code segment uses an EIP register, which contains an absolute address of the next instruction to be executed. Usually, the instruction pointer does not go beyond the code segment, but this can happen if an exploit is running, which can change the return address of the executing function in case of buffer overflow to a different piece of code that performs a malicious function.
  • FIG. 2 is a diagram illustrating a system according to one embodiment of the invention for detection of a program code which uses vulnerabilities in software.
  • An application 210 such as, for example, Microsoft Internet Explorer or Mozilla Thunderbird, launched in the operating system (OS) 240 , creates a number of threads 220 that are executed on the computing hardware and managed by the OS. During execution, one of the threads 220 requests that the operating system 240 to allocate a memory page 250 .
  • Each allocated page may be assigned various attributes—it can be read (R), data can be written (W) into it, and code written in it can be executed (X).
  • the code of the exploit must first be written in the memory at a certain address, then executed.
  • the allocated memory page must have both, a W attribute, and an X attribute, in order to permit writing of the exploit code into it, and then to permit execution of that code.
  • the exploit code would be implemented during the execution of one of the threads 220 .
  • an analysis of both, memory-related operations, and the threads themselves, are performed in order to successfully detect exploits.
  • an interceptor module 230 is used to track the operations with memory pages by intercepting requests that are addressed to the memory. For example, during the processing of a request by one of the threads 220 to allocate a new memory page, the interceptor module 230 writes the page's address, attributes, and the Thread Identifier (TID) of the thread 220 into the memory operations database 260 in response to allocation of a page in the virtual memory 250 of the Operating System 240 .
  • TID Thread Identifier
  • module means a real-world device, component, or arrangement of components implemented using hardware, such as by an application specific integrated circuit (ASIC) or field-programmable gate array (FPGA), for example, or as a combination of hardware and software, such as by a microprocessor system and a set of instructions to implement the module's functionality, which (while being executed) transform the microprocessor system into a special-purpose device.
  • a module can also be implemented as a combination of the two, with certain functions facilitated by hardware alone, and other functions facilitated by a combination of hardware and software.
  • a portion, and in some cases, all, of a module can be executed on the processor(s) of one or more general purpose computers (such as the one described in greater detail below) that execute an operating system, system programs, and application programs, while also implementing the module using multitasking, multithreading, distributed (e.g., cloud) processing, or other such techniques.
  • each module can be realized in a variety of suitable configurations, and should not be limited to any particular implementation exemplified herein.
  • other items of information can be included in memory operations database 260 .
  • a portion of the Page Table Entry (PTE) of the relevant page is included in the memory operation database 260 instead of the page's address.
  • the database 260 is written to only if the memory page has W and X attributes.
  • information on all memory page operations is stored in the database 260 .
  • a process identifier (PID) 210 and the records in the database 260 related to all processes launched in the Operating System 240 are additionally stored in the database 260 .
  • the system illustrated in FIG. 2 includes an antivirus module 270 , which reads the memory operation database 260 in order to check the condition of the virtual memory 250 of the process 210 , with the purpose of tracking the changes of the memory pages' attributes, which is discussed below in more detail.
  • FIG. 3 illustrates a method of operation of the interceptor module 230 when the process threads request allocation of a memory page according to one embodiment.
  • the request is intercepted by the interceptor module 230 , after which the memory page is allocated.
  • the interceptor module 230 determines the page's attributes and, if the page has W and X attributes, then at stage 306 , the page's address is saved in memory operations database 260 .
  • the presence of the W and X attributes, together, means that an exploit can be written in the memory page, and can then be executed.
  • the interceptor module 230 at stage 308 removes the X attribute, which will not allow the code written in this page to be executed.
  • FIG. 4 is a flow diagram illustrating a method for tracking the memory-related operations using the interceptor module 230 according to one embodiment.
  • stage 401 there is a detection of an exception caused by one of the threads 220 trying to perform prohibited actions with the data saved at a certain address in the Memory 250 —for example, to execute or write the data, while the attributes of the relevant memory page are not set to permit the action (i.e. the execute (X) and the write (W) attributes do not have a set Yes value.
  • the EXCEPTION_ACCESS_VIOLATION is an example of this kind of exception.
  • stage 402 there is a lookup of the page's address through a request to the memory operation database 260 , where the information about the page with the preset W and X attributes was saved at stage 306 . If the page is found, the algorithm advances to stage 404 . If the exception was associated with an unknown page, a standard exception processor will be called, which is provided by the operating system 240 (stage 420 ).
  • This information is transferred to the antivirus module 270 , which determines the response to the request by assessing the risk (stages 408 and 409 , respectively).
  • the risk assessment can be performed based on applying one or more known risk assessment solutions associated with a certain application or a launched process. In one of the embodiments, the risk assessment can be performed by checking the memory page for the presence of known exploit signatures. In related embodiments, the risk assessment can be done using heuristic analysis or emulation methods.
  • a risk of a given process is assessed by assigning a special rating to the risk.
  • the rating itself can be composed of two parts, the static and the dynamic.
  • the statistics are computed based on the statistical features of the file being executed—size, location, imported libraries, compression, etc.
  • the dynamics are based on the emulation results and depend on which operations were performed with the services, the file system, the registry, the network, etc.
  • Antivirus module 270 determines that writing or execution is to be permitted, it changes the page flags to the following configurations:
  • FIG. 5 is a flow diagram illustrating an example of a method for detection of a potentially hazardous executable code before its execution according to one embodiment.
  • a potentially hazardous executable code in this case can include an exploit code.
  • stage 502 analyzes the exception information.
  • the exception's cause is determined (i.e., whether it was an attempt to execute the code or an attempt at writing).
  • stage 506 analyzes the executable code written in the memory page.
  • stage 508 analyzes the thread 220 which is trying to write the executable code into the memory page.
  • the analysis of the executable code can be performed using known signature or heuristic methods, which allow for the detection both, known exploits, and their modifications. Even if it is not possible to identify the executable code as an exploit code, the operations with the memory page attributes allow reliable prevention of its execution. If, at stage 510 , it was concluded that signs of an exploit are detected, i.e. the analysis at stage 506 or at stage 508 provide positive results, then, at stage 512 , the operation with the memory requested by the process thread of the application 210 will be terminated.
  • FIG. 6 is a diagram illustrating an exemplary page table.
  • the Registry CR3 stores an address in the physical memory for the first page in the page directory.
  • Each record in the page directory entry (PDE) refers to the relevant page table, each record in which the page table entry (PTE) further refers directly to the memory page.
  • a number of flags is directly connected with the PTE (i.e. with the page); some of them are responsible for indicating the access permissions (read (R) or write (W)).
  • a special cache is used in the CPU, which is a translation lookaside buffer (TLB).
  • Such cache is designed to accelerate the transmission of the virtual memory address to the physical memory address.
  • the TLB itself should generally be synchronized with the page table, such that each process has its own address space. With multiple operations in the memory, the TLB is completely or partially flushed; such operations are resource-intensive in terms of buffer cleanup (since a response from a buffer takes only a few cycles, while a memory request will take several thousand cycles).
  • aspects of the invention are implemented as a modification of the memory dispatcher of the operating system 240 or as a part of a hypervisor.
  • events are created in response to switching of memory page attributes, and are used by the interceptor module 230 to trigger operation of the protective techniques discussed above.
  • a modification of the PTE can be made for the purpose of supporting additional fields used by aspects of the invention (for example, a bit indicating a change of the W and X attributes).
  • FIG. 7 is a block diagram illustrating an example of a general purpose computer system on which embodiments of the invention can be implemented.
  • Personal Computer or Server 20 includes a Central processor 21 , a System Memory 22 and a System Bus 23 , which contains various system components, including a memory connected with a Central processor 21 .
  • the System Bus 23 is realized as any bus structure known at the relevant technical level, containing, in turn, a bus memory or a bus memory controller, a peripheral bus and a local bus, which is able to interact with any other bus architecture.
  • the System Memory has a Read-Only Memory (ROM) 24 and a Random Access Memory (RAM) 25 .
  • the Basic Input/Output System (BIOS) 26 contains basic procedures ensuring transfer of information between the elements of a Personal Computer 20 , for example, during the operating system boot using ROM 24 .
  • the Personal Computer 20 has a Hard Drive 27 for data reading and writing, a Magnetic Disk Drive 28 for reading and writing on removable Magnetic Disks 29 , and an Optical Drive 30 for reading and writing on removable Optical Disks 31 , such as CD-ROM, DVD-ROM and other optical media.
  • the Hard Drive 27 , the Magnetic Drive 28 , and the Optical Drive 30 are connected with a System Bus 23 through a Hard Drive Interface 32 , a Magnetic Drive Interface 33 and an Optical Drive Interface 34 , respectively.
  • the drives and the corresponding computer information media represent energy-independent means for storage of computer instructions, data structures, program modules and other data on the Personal Computer 20 .
  • the system depicted includes a Hard Drive 27 , a removable Magnetic Drive 29 and a removable Optical Drive 31 , but it should be understood that it is possible to use other types of Computer Information Media 56 , capable of storing data in a computer-readable form (solid state drives, flash memory cards, digital disks, random-access memory (RAM), etc.), connected to the System Bus 23 through a Controller 55 .
  • Computer Information Media 56 capable of storing data in a computer-readable form (solid state drives, flash memory cards, digital disks, random-access memory (RAM), etc.), connected to the System Bus 23 through a Controller 55 .
  • the Computer 20 has a File System 36 , where the recorded Operating System 35 is stored, as well as additional Program Applications 37 , other Program Modules 38 and Program Data 39 .
  • the user can input commands and information into the Personal Computer 20 using input devices (Keyboard 40 , Mouse 42 ).
  • Other input devices can also be used, such as: a microphone, a joystick, a game console, a scanner, etc.
  • Such input devices are usually connected to the Computer System 20 through a Serial Port 46 , which, in turn, is connected to a system bus, but they can also be connected in a different way—for example, using a parallel port, a game port or a Universal Serial Bus (USB).
  • USB Universal Serial Bus
  • the Monitor 47 or another type of display device is also connected to a System Bus 23 through an interface, such as a Video Adapter 48 .
  • the personal computer can be equipped with other peripheral output devices (not shown), such as speakers, a printer, etc.
  • the Personal Computer 20 is able to work in a network environment; in this case, it uses a network connection with one or several other Remote Computers 49 .
  • the Remote Computer(s) 49 is (are) similar personal computers or servers, which have most or all of the above elements, noted earlier when describing the substance of the Personal Computer 20 shown in FIG. 7 .
  • the computing network can also have other devices, such as routers, network stations, peering devices or other network nodes.
  • Network connections can constitute a Local Area Network (LAN) 50 and a World Area Network (WAN). Such networks are used in corporate computer networks or in corporate intranets, and usually have access to the Internet.
  • LAN or WAN networks the Personal Computer 20 is connected to the Local Area Network 50 through a Network Adapter or a Network Interface 51 .
  • the Personal Computer 20 can use a Modem 54 or other means for connection to a world area network, such as the Internet.
  • the Modem 54 which is an internal or an external device, is connected to the System Bus 23 through a Serial Port 46 . It should be clarified that these network connections are only examples and do not necessarily reflect an exact network configuration, i.e. in reality there are other means of establishing a connection using technical means of communication between computers.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

Protection of a computer system against exploits. A computer system has a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory. An association of the process thread and the first portion of memory is recorded. A limited access regime in which one of the write and execute privileges is disabled, is established, and is monitored for any exceptions occurring due to attempted writing or execution in violation thereof. In response to the exception being determined as a write exception, the associated process thread is looked up, and analyzed for a presence of malicious code. In response to the exception type being determined as an execute exception, the first portion of memory is analyzed for a presence of malicious code. In response to detection of a presence of malicious code, execution of the malicious code is prevented.

Description

CLAIM TO PRIORITY
This Application claims the benefit of Russian Federation Patent Application No. 2012106465 filed Feb. 24, 2012, the disclosure of which is incorporated by reference herein.
FIELD OF THE INVENTION
The invention relates generally to information processing security and, more particularly, to protection against computer exploits based on stopping and checking executable code before its execution.
BACKGROUND OF THE INVENTION
Computer viruses and other malicious programs which are spread through the Internet and local networks and through portable media continue to present an ongoing challenge to the public. Perhaps the most prominent of these are the so-called exploits, which can take the form of code fragments or commands that take advantage of vulnerabilities in software. Such vulnerabilities are caused by mistakes made when programming or designing applications. With the growth of the number and complexity of applications, the number of vulnerabilities inevitably grows as well; writers of malicious programs actively take advantage of this, already using not only single exploits but whole sets of them, designed for multiple programs and for their various versions. Exploits can be designed for specific operating systems, browsers, websites, etc.
In order to resolve the issue of countering the exploits, software manufacturers constantly produce updates of their applications in order to cover for known vulnerabilities, while manufacturers of operating systems and anti-virus companies use various methods for fighting known exploits.
One of the anti-exploit methods involves using a security function named DEP (Data Execution Prevention), which marks certain parts of memory as being intended to hold only data, which the NX bit enabled processor then understands as non-executable. This technology is being successfully used for protection from buffer overflow attacks, when the application writes data beyond the buffer allocated in the memory.
A related technology has been proposed for detecting possible malicious code that gets unpacked at run-time, such as the approach disclosed in U.S. Pat. No. 8,104,089. This approach injects a packing manager into a process, or installs it in the operating system's kernel. The packing manager uses memory page write and execute permissions to track when a program attempts to first write to, and then execute code from, a memory page. This approach uses the operations of the unpacker to restore the packed code from its packed state, but ensures that the code cannot be subsequently executed without being checked for malware. This technique deals particularly with packers, but it does not address the diversity of operations that are used by exploits, which can introduce malicious code in a variety of ways, not just through unpacking of the code.
Another technology, named ASLR (Address Space Layout Randomization), randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack in the address space of the process; this significantly complicates the exploitation of some vulnerabilities.
It should be pointed out that the above-mentioned technologies allow to successfully fight most of today's exploits, but in a number of cases, it is not possible to track the launch of the latest exploit variants, as exploit creators always look for newer ways to bypass the existing protection technologies. A practical and efficient solution is needed to address these challenges.
SUMMARY OF THE INVENTION
One aspect of the invention is directed to a method for protecting against exploits in a computer system utilizing a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory. According to the method, in response to a request by a process thread running in the computer system for allocation of a first portion of memory, an association of the process thread and the first portion of memory is recorded. The memory access control arrangement is adjusted to establish a limited access regime in which one of the write and execute privileges is disabled. The method monitors the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the limited access regime. In response to an occurrence of a first exception corresponding to the first portion of the memory, an exception type of the first exception is determined. In response to the exception type being determined as a write exception, the process thread associated with the first portion of memory is looked up in the record, the process thread is analyzed for a presence of malicious code. In response to the exception type being determined as an execute exception, the content of the first portion of memory is analyzed for a presence of malicious code. In response to detection of a presence of malicious code as a result of the analyzing, execution of the malicious code is prevented.
A related aspect is directed to a protection system for protecting against exploits. In the system, a malware analysis module is configured to detect malicious code of an exploit. An interceptor module is configured to detect a request by a process thread running in the computer system for allocation of a first portion of memory. The interceptor module is further configured to record an association of the process thread and the first portion of memory; adjust memory access control arrangement to establish a limited access regime in which one of the write and execute privileges is disabled; and monitor the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the limited access regime. In response to an occurrence of a first exception corresponding to the first portion of the memory, an exception type of the first exception is determined by the interceptor module. In response to the exception type being determined as a write exception, the process thread associated with the first portion of memory is looked up, and analysis by the malware analysis module is initiated to look for a presence of malicious code in the process thread. In response to the exception type being determined as an execute exception, the malware analysis module is initiated to look for a presence of malicious code in the first portion of memory. The malware analysis module is configured to prevent execution of the malicious code in response to detection of a presence of malicious code as a result of the analysis.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention may be more completely understood in consideration of the following detailed description of various embodiments of the invention in connection with the accompanying drawings, in which:
FIG. 1 is a diagram illustrating an exemplary memory operation of a computer system in which an executable file of a program is loaded from a disk, or a non-volatile data storage device, into the memory.
FIG. 2 is a diagram illustrating a system according to one embodiment of the invention for detection of an exploit program code which uses vulnerabilities in software.
FIG. 3 illustrates a method of operation of an interceptor module of the system of FIG. 2 when the process threads request allocation of a memory page according to one embodiment.
FIG. 4 is a flow diagram illustrating a method for tracking the memory-related operations using the interceptor module of the system of FIG. 2 according to one embodiment.
FIG. 5 is a flow diagram illustrating a method for detection of a potentially hazardous executable code before its execution according to one embodiment.
FIG. 6 is a diagram illustrating a page table for use with certain embodiments of the invention.
FIG. 7 is a block diagram illustrating an example of a general purpose computer system on which embodiments of the invention can be implemented.
While the invention is amenable to various modifications and alternative forms, specifics thereof have been shown by way of example in the drawings and will be described in detail. It should be understood, however, that the intention is not to limit the invention to the particular embodiments described. On the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention as defined by the appended claims.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Aspects of the present invention can be implemented as part of a computer system. The computer system can be one physical machine, or can be distributed among multiple physical machines, such as by role or function, or by process thread in the case of a cloud computing distributed model. In various embodiments, aspects of the invention can be configured to run in virtual machines that in turn are executed on one or more physical machines. It will be understood by persons of skill in the art that features of the invention may be realized by a variety of different suitable machine implementations.
FIG. 1 is a diagram illustrating an exemplary memory operation of a computer system in which an executable file of a program is loaded from a disk, or a non-volatile data storage device, into the memory. Each executable file has associated with it various segments, or sections, such as: code (.text), data (.data), non-initialized data (.bss), and memory space dynamically allocated during loading in the form of a heap and a stack. Each segment has its own purpose; for example, the .text code segment contains directly executable instructions. During loading, each segment is allocated a certain memory space (memory pages in case of paging memory-management scheme).
When instructions are executed, the code segment uses an EIP register, which contains an absolute address of the next instruction to be executed. Usually, the instruction pointer does not go beyond the code segment, but this can happen if an exploit is running, which can change the return address of the executing function in case of buffer overflow to a different piece of code that performs a malicious function.
FIG. 2 is a diagram illustrating a system according to one embodiment of the invention for detection of a program code which uses vulnerabilities in software. An application 210, such as, for example, Microsoft Internet Explorer or Mozilla Thunderbird, launched in the operating system (OS) 240, creates a number of threads 220 that are executed on the computing hardware and managed by the OS. During execution, one of the threads 220 requests that the operating system 240 to allocate a memory page 250. Each allocated page may be assigned various attributes—it can be read (R), data can be written (W) into it, and code written in it can be executed (X).
For an exploit to be effective, the code of the exploit must first be written in the memory at a certain address, then executed. Thus, to be usable by the exploit, the allocated memory page must have both, a W attribute, and an X attribute, in order to permit writing of the exploit code into it, and then to permit execution of that code. In this case, the exploit code would be implemented during the execution of one of the threads 220.
According to one aspect of the invention, an analysis of both, memory-related operations, and the threads themselves, are performed in order to successfully detect exploits. In one such embodiment, an interceptor module 230 is used to track the operations with memory pages by intercepting requests that are addressed to the memory. For example, during the processing of a request by one of the threads 220 to allocate a new memory page, the interceptor module 230 writes the page's address, attributes, and the Thread Identifier (TID) of the thread 220 into the memory operations database 260 in response to allocation of a page in the virtual memory 250 of the Operating System 240.
The term “module” as used herein means a real-world device, component, or arrangement of components implemented using hardware, such as by an application specific integrated circuit (ASIC) or field-programmable gate array (FPGA), for example, or as a combination of hardware and software, such as by a microprocessor system and a set of instructions to implement the module's functionality, which (while being executed) transform the microprocessor system into a special-purpose device. A module can also be implemented as a combination of the two, with certain functions facilitated by hardware alone, and other functions facilitated by a combination of hardware and software. In certain implementations, at least a portion, and in some cases, all, of a module can be executed on the processor(s) of one or more general purpose computers (such as the one described in greater detail below) that execute an operating system, system programs, and application programs, while also implementing the module using multitasking, multithreading, distributed (e.g., cloud) processing, or other such techniques. Accordingly, each module can be realized in a variety of suitable configurations, and should not be limited to any particular implementation exemplified herein.
In various embodiments, other items of information can be included in memory operations database 260. In one such embodiment, a portion of the Page Table Entry (PTE) of the relevant page is included in the memory operation database 260 instead of the page's address. In another embodiment, the database 260 is written to only if the memory page has W and X attributes. In another embodiment, information on all memory page operations is stored in the database 260. In yet another embodiment, a process identifier (PID) 210 and the records in the database 260 related to all processes launched in the Operating System 240 are additionally stored in the database 260.
The system illustrated in FIG. 2 includes an antivirus module 270, which reads the memory operation database 260 in order to check the condition of the virtual memory 250 of the process 210, with the purpose of tracking the changes of the memory pages' attributes, which is discussed below in more detail.
FIG. 3 illustrates a method of operation of the interceptor module 230 when the process threads request allocation of a memory page according to one embodiment. At stage 302, in response to a request made by a process thread to allocate a memory page, the request is intercepted by the interceptor module 230, after which the memory page is allocated. At stage 304, the interceptor module 230 determines the page's attributes and, if the page has W and X attributes, then at stage 306, the page's address is saved in memory operations database 260. The presence of the W and X attributes, together, means that an exploit can be written in the memory page, and can then be executed. In order to prevent the execution of the code, the interceptor module 230 at stage 308 removes the X attribute, which will not allow the code written in this page to be executed.
FIG. 4 is a flow diagram illustrating a method for tracking the memory-related operations using the interceptor module 230 according to one embodiment. At stage 401, there is a detection of an exception caused by one of the threads 220 trying to perform prohibited actions with the data saved at a certain address in the Memory 250—for example, to execute or write the data, while the attributes of the relevant memory page are not set to permit the action (i.e. the execute (X) and the write (W) attributes do not have a set Yes value. In the Windows operating system, the EXCEPTION_ACCESS_VIOLATION is an example of this kind of exception.
Then, at stage 402, there is a lookup of the page's address through a request to the memory operation database 260, where the information about the page with the preset W and X attributes was saved at stage 306. If the page is found, the algorithm advances to stage 404. If the exception was associated with an unknown page, a standard exception processor will be called, which is provided by the operating system 240 (stage 420).
At stage 404, a determination is made as to the type of the exception which occurred, namely, for writing or for executing (stages 406 and 407, respectively). This information is transferred to the antivirus module 270, which determines the response to the request by assessing the risk ( stages 408 and 409, respectively). The risk assessment can be performed based on applying one or more known risk assessment solutions associated with a certain application or a launched process. In one of the embodiments, the risk assessment can be performed by checking the memory page for the presence of known exploit signatures. In related embodiments, the risk assessment can be done using heuristic analysis or emulation methods.
In other related embodiments, still other approaches can be used such as, for example, the approach described in U.S. Pat. No. 7,530,106, the disclosure of which is incorporated by reference herein. In this approach, a risk of a given process is assessed by assigning a special rating to the risk. The rating itself can be composed of two parts, the static and the dynamic. The statistics are computed based on the statistical features of the file being executed—size, location, imported libraries, compression, etc. The dynamics are based on the emulation results and depend on which operations were performed with the services, the file system, the registry, the network, etc.
If the Antivirus module 270 determines that writing or execution is to be permitted, it changes the page flags to the following configurations:
W=No, X=Yes, if there was an execution request (stage 414);
W=Yes, X=No, if there was a writing request (stage 416).
This ensures protection from consecutive actions of writing and execution. Each exception is processed in the above described manner, and the information about each such event is saved with the analysis results for further detection of a possible exploit at stage 418. As the memory page continues to be used by a process that writes to, and executes code from, the memory page, the permissions can alternate as:
W=No, X=Yes;
W=Yes, X=No;
W=No, X=Yes
W=Yes, X=No;
etc., with risk assessment occurring at each switch in permissions, until the process is either completed or until malware is detected, resulting in termination of the process.
FIG. 5 is a flow diagram illustrating an example of a method for detection of a potentially hazardous executable code before its execution according to one embodiment. A potentially hazardous executable code in this case can include an exploit code. In the exception processing at stage 418, stage 502 analyzes the exception information. At stage 504, the exception's cause is determined (i.e., whether it was an attempt to execute the code or an attempt at writing).
In response to an attempt to execute the code, stage 506 analyzes the executable code written in the memory page. In response to a writing attempt, stage 508 analyzes the thread 220 which is trying to write the executable code into the memory page. The analysis of the executable code can be performed using known signature or heuristic methods, which allow for the detection both, known exploits, and their modifications. Even if it is not possible to identify the executable code as an exploit code, the operations with the memory page attributes allow reliable prevention of its execution. If, at stage 510, it was concluded that signs of an exploit are detected, i.e. the analysis at stage 506 or at stage 508 provide positive results, then, at stage 512, the operation with the memory requested by the process thread of the application 210 will be terminated. This can mean either the termination of the whole process 210, including all associated threads 220, or the termination of a specific thread 220 through which the execution of the exploit code is being made possible. Otherwise, if there is no evidence found of an exploit at 510, the method loops back to stage 501 to wait for the next exception.
In one embodiment, the execution of an interceptor module 230 is in the form of a driver of the Operating System 240. FIG. 6 is a diagram illustrating an exemplary page table. Usually, such structures have multiple levels. The Registry CR3 stores an address in the physical memory for the first page in the page directory. Each record in the page directory entry (PDE) refers to the relevant page table, each record in which the page table entry (PTE) further refers directly to the memory page. A number of flags is directly connected with the PTE (i.e. with the page); some of them are responsible for indicating the access permissions (read (R) or write (W)). Also, a special cache is used in the CPU, which is a translation lookaside buffer (TLB). Such cache is designed to accelerate the transmission of the virtual memory address to the physical memory address. However, the TLB itself should generally be synchronized with the page table, such that each process has its own address space. With multiple operations in the memory, the TLB is completely or partially flushed; such operations are resource-intensive in terms of buffer cleanup (since a response from a buffer takes only a few cycles, while a memory request will take several thousand cycles).
In other embodiments, aspects of the invention are implemented as a modification of the memory dispatcher of the operating system 240 or as a part of a hypervisor. In a memory manager embodiment, events are created in response to switching of memory page attributes, and are used by the interceptor module 230 to trigger operation of the protective techniques discussed above. Similarly, a modification of the PTE can be made for the purpose of supporting additional fields used by aspects of the invention (for example, a bit indicating a change of the W and X attributes).
FIG. 7 is a block diagram illustrating an example of a general purpose computer system on which embodiments of the invention can be implemented. Personal Computer or Server 20, includes a Central processor 21, a System Memory 22 and a System Bus 23, which contains various system components, including a memory connected with a Central processor 21. The System Bus 23 is realized as any bus structure known at the relevant technical level, containing, in turn, a bus memory or a bus memory controller, a peripheral bus and a local bus, which is able to interact with any other bus architecture. The System Memory has a Read-Only Memory (ROM) 24 and a Random Access Memory (RAM) 25. The Basic Input/Output System (BIOS) 26 contains basic procedures ensuring transfer of information between the elements of a Personal Computer 20, for example, during the operating system boot using ROM 24.
The Personal Computer 20, in turn, has a Hard Drive 27 for data reading and writing, a Magnetic Disk Drive 28 for reading and writing on removable Magnetic Disks 29, and an Optical Drive 30 for reading and writing on removable Optical Disks 31, such as CD-ROM, DVD-ROM and other optical media. The Hard Drive 27, the Magnetic Drive 28, and the Optical Drive 30 are connected with a System Bus 23 through a Hard Drive Interface 32, a Magnetic Drive Interface 33 and an Optical Drive Interface 34, respectively. The drives and the corresponding computer information media represent energy-independent means for storage of computer instructions, data structures, program modules and other data on the Personal Computer 20.
The system depicted includes a Hard Drive 27, a removable Magnetic Drive 29 and a removable Optical Drive 31, but it should be understood that it is possible to use other types of Computer Information Media 56, capable of storing data in a computer-readable form (solid state drives, flash memory cards, digital disks, random-access memory (RAM), etc.), connected to the System Bus 23 through a Controller 55.
The Computer 20 has a File System 36, where the recorded Operating System 35 is stored, as well as additional Program Applications 37, other Program Modules 38 and Program Data 39. The user can input commands and information into the Personal Computer 20 using input devices (Keyboard 40, Mouse 42). Other input devices (not shown) can also be used, such as: a microphone, a joystick, a game console, a scanner, etc. Such input devices are usually connected to the Computer System 20 through a Serial Port 46, which, in turn, is connected to a system bus, but they can also be connected in a different way—for example, using a parallel port, a game port or a Universal Serial Bus (USB). The Monitor 47 or another type of display device is also connected to a System Bus 23 through an interface, such as a Video Adapter 48. In addition to the Monitor 47, the personal computer can be equipped with other peripheral output devices (not shown), such as speakers, a printer, etc.
The Personal Computer 20 is able to work in a network environment; in this case, it uses a network connection with one or several other Remote Computers 49. The Remote Computer(s) 49 is (are) similar personal computers or servers, which have most or all of the above elements, noted earlier when describing the substance of the Personal Computer 20 shown in FIG. 7. The computing network can also have other devices, such as routers, network stations, peering devices or other network nodes.
Network connections can constitute a Local Area Network (LAN) 50 and a World Area Network (WAN). Such networks are used in corporate computer networks or in corporate intranets, and usually have access to the Internet. In LAN or WAN networks, the Personal Computer 20 is connected to the Local Area Network 50 through a Network Adapter or a Network Interface 51. When using networks, the Personal Computer 20 can use a Modem 54 or other means for connection to a world area network, such as the Internet. The Modem 54, which is an internal or an external device, is connected to the System Bus 23 through a Serial Port 46. It should be clarified that these network connections are only examples and do not necessarily reflect an exact network configuration, i.e. in reality there are other means of establishing a connection using technical means of communication between computers.
The embodiments above are intended to be illustrative and not limiting. Additional embodiments are within the claims. In addition, although aspects of the present invention have been described with reference to particular embodiments, those skilled in the art will recognize that changes can be made in form and detail without departing from the scope of the invention, as defined by the claims.
Persons of ordinary skill in the relevant arts will recognize that the invention may comprise fewer features than illustrated in any individual embodiment described above. The embodiments described herein are not meant to be an exhaustive presentation of the ways in which the various features of the invention may be combined. Accordingly, the embodiments are not mutually exclusive combinations of features; rather, the invention may comprise a combination of different individual features selected from different individual embodiments, as will be understood by persons of ordinary skill in the art.
Any incorporation by reference of documents above is limited such that no subject matter is incorporated that is contrary to the explicit disclosure herein. Any incorporation by reference of documents above is further limited such that no claims that are included in the documents are incorporated by reference into the claims of the present Application. The claims of any of the documents are, however, incorporated as part of the disclosure herein, unless specifically excluded. Any incorporation by reference of documents above is yet further limited such that any definitions provided in the documents are not incorporated by reference herein unless expressly included herein.
For purposes of interpreting the claims for the present invention, it is expressly intended that the provisions of Section 112, sixth paragraph of 35 U.S.C. are not to be invoked unless the specific terms “means for” or “step for” are recited in a claim.

Claims (24)

What is claimed is:
1. A method for protecting against exploits in a computer system utilizing a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory, the method comprising:
in response to a request by a process thread running in the computer system for allocation of a first portion of memory:
(a) recording an association of the process thread and the first portion of memory; and
(b) adjusting the memory access control arrangement to establish a limited access regime in which one of the write and execute privileges is disabled;
(c) monitoring the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the limited access regime;
(d) in response to an occurrence of a first exception corresponding to the first portion of the memory:
determining an exception type of the first exception;
performing an initial risk assessment of the process thread and its associated memory page to determine whether the attempted writing or execution is permitted, the initial risk assessment including at least one of: an exploit signature check, heuristic analysis of exploits, emulation analysis of exploits, statistical risk rating analysis;
in response to the initial risk assessment determining that the attempted writing or execution is permitted, performing specialized exception processing wherein:
in response to the exception type being determined as a write exception, the process thread associated with the first portion of memory in the recording is looked up, and the process thread for a presence of malicious code is analyzed;
in response to the exception type being determined as an execute exception, content of the first portion of memory is analyzed for a presence of malicious code;
(e) in response to detection of a presence of malicious code as a result of the specialized exception processing, preventing execution of the malicious code;
(f) in response to a non-detection of any presence of malicious code as a result of the analyzing, permitting the attempted writing or execution and alternating the write and execute privileges to establish a new limited access regime;
(g) monitoring the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the new limited access regime and repeating (a)-(f) to determine the presence of any exploits from continued execution of the process thread.
2. The method of claim 1, further comprising: in response to a non-detection of any presence of malicious code as a result of the analyzing, adjusting the data execution prevention privileges to permit only a privilege corresponding to the determined exception type.
3. The method of claim 1, wherein recording the association of the process thread and the first portion of memory includes creating an entry in a memory operations database.
4. The method of claim 3, wherein the entry in the memory operations database includes a thread identifier of the thread and an address of the first portion of memory.
5. The method of claim 3, wherein the entry in the memory operations database includes a portion of a page table entry corresponding to the first portion of memory.
6. The method of claim 1, wherein recording the association of the process thread and the first portion of memory is performed only in response to a request for allocation of the first portion of memory having both, write privileges, and execution privileges.
7. The method of claim 1, wherein adjusting the data execution prevention privileges to establish a limited access regime includes initially enabling the write privileges while disabling the execute privileges.
8. The method of claim 1, wherein the first portion of memory includes a memory page.
9. The method of claim 1, wherein the analysis of either the contents of the first portion of memory, or the process thread, is initiated in response to a single exception.
10. The method of claim 1, further comprising: in response to the exception type being determined as a write exception, looking up a plurality of process threads that are associated with the first portion of memory in the recording, and analyzing each of the plurality of process threads for a presence of malicious code.
11. The method of claim 1, wherein preventing execution of the malicious code includes termination of the process thread associated with the first portion of memory.
12. In a computer system having a memory access control arrangement configured to enforce at least write and execute privileges for allocated portions of memory, a protection system for protecting against exploits, the system comprising:
a malware analysis module configured to detect malicious code of an exploit; and
an interceptor module configured to detect a request by a process thread running in the computer system for allocation of a first portion of memory, the interceptor module further configured to:
(a) record an association of the process thread and the first portion of memory;
(b) adjust memory access control arrangement to establish a limited access regime in which one of the write and execute privileges is disabled;
(c) monitor the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the limited access regime;
(d) in response to an occurrence of a first exception corresponding to the first portion of the memory:
determine an exception type of the first exception;
perform an initial risk assessment of the process thread and its associated memory page to determine whether the attempted writing or execution is permitted, the initial risk assessment including at least one of: an exploit signature check, heuristic analysis of exploits, emulation analysis of exploits, statistical risk rating analysis;
in response to the initial risk assessment determining that the attempted writing or execution is permitted, perform specialized exception processing wherein:
in response to the exception type being determined as a write exception, the process thread associated with the first portion of memory in the recording is looked up, and the process thread for a presence of malicious code is analyzed;
in response to the exception type being determined as an execute exception, content of the first portion of memory is analyzed for a presence of malicious code;
wherein the malware analysis module is configured to:
(e) in response to detection of a presence of malicious code as a result of the specialized exception processing, prevent execution of the malicious code;
(f) in response to a non-detection of any presence of malicious code as a result of the analyzing, permit the attempted writing or execution and alternating the write and execute privileges to establish a new limited access regime;
(g) monitor the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the new limited access regime and perform (a)-(f) to determine the presence of any exploits from continued execution of the process thread.
13. The system of claim 12, wherein the interceptor module is further configured to adjust the data execution prevention privileges to permit only a privilege corresponding to the determined exception type in response to a non-detection of any presence of malicious code by the malware analysis module.
14. The system of claim 12, wherein the interceptor module is further configured to record the association of the process thread and the first portion of memory as part of an entry in a memory operations database.
15. The system of claim 14, wherein the entry in the memory operations database includes a thread identifier of the thread and an address of the first portion of memory.
16. The system of claim 14, wherein the entry in the memory operations database includes a portion of a page table entry corresponding to the first portion of memory.
17. The system of claim 12, wherein the interceptor module is further configured to record the association of the process thread and the first portion of memory only in response to a request for allocation of the first portion of memory having both, write privileges, and execution privileges.
18. The system of claim 12, wherein the interceptor module is further configured to initially enable the write privileges while disabling the execute privileges in adjusting the data execution prevention privileges to establish a limited access regime.
19. The system of claim 12, wherein the first portion of memory includes a memory page.
20. The system of claim 12, wherein the interceptor module is configured to initiate analysis by the malware analysis module of either the contents of the first portion of memory, or the process thread, in response to a single exception.
21. The system of claim 12, wherein the interceptor module is further configured to look up a plurality of process threads that are associated with the first portion of memory in response to the exception type being determined as a write exception, and causing the malware analysis module to analyze each of the plurality of process threads for a presence of malicious code.
22. The system of claim 12, wherein the interceptor module is part of a driver of an operating system of the computer system.
23. The system of claim 12, wherein the interceptor module is part of a memory dispatcher of an operating system of the computer system.
24. A non-transitory computer-readable storage medium comprising instructions that, when executed in a computer system having a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory, cause the computer system to: protect itself against exploits such that:
in response to a request by a process thread running in the computer system for allocation of a first portion of memory:
(a) an association of the process thread and the first portion of memory is recorded;
(b) memory access control arrangement is adjusted to establish a limited access regime in which one of the write and execute privileges is disabled;
(c) the memory access control arrangement is monitored for any exceptions occurring due to attempted writing or execution in violation of the limited access regime;
(d) in response to an occurrence of a first exception corresponding to the first portion of the memory:
an exception type of the first exception is determined;
an initial risk assessment of the process thread and its associated memory page is performed to determine whether the attempted writing or execution is permitted, the initial risk assessment including at least one of: an exploit signature check, heuristic analysis of exploits, emulation analysis of exploits, statistical risk rating analysis;
in response to the initial risk assessment determining that the attempted writing or execution is permitted, specialized exception processing is performed wherein:
in response to the exception type being determined as a write exception, the process thread associated with the first portion of memory in the recording is looked up, and the process thread for a presence of malicious code is analyzed;
in response to the exception type being determined as an execute exception, content of the first portion of memory I is analyzed for a presence of malicious code;
(e) in response to detection of a presence of malicious code as a result of the specialized exception processing, execution of the malicious code is prevented;
(f) in response to a non-detection of any presence of malicious code as a result of the analyzing, the attempted writing or execution is permitted and the write and execute privileges are alternated to establish a new limited access regime;
(g) the memory access control arrangement is monitored for any exceptions occurring due to attempted writing or execution in violation of the new limited access regime and (a)-(f) are performed to determine the presence of any exploits from continued execution of the process thread.
US13/648,863 2012-02-24 2012-10-10 Automated protection against computer exploits Active 2033-01-14 US8990934B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP13175197.6A EP2720170B1 (en) 2012-10-10 2013-07-04 Automated protection against computer exploits

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
RU2012106465/08A RU2510074C2 (en) 2012-02-24 2012-02-24 System and method of checking executable code before execution thereof
RU2012106465 2012-02-24

Publications (2)

Publication Number Publication Date
US20130227680A1 US20130227680A1 (en) 2013-08-29
US8990934B2 true US8990934B2 (en) 2015-03-24

Family

ID=49004803

Family Applications (1)

Application Number Title Priority Date Filing Date
US13/648,863 Active 2033-01-14 US8990934B2 (en) 2012-02-24 2012-10-10 Automated protection against computer exploits

Country Status (2)

Country Link
US (1) US8990934B2 (en)
RU (1) RU2510074C2 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150058926A1 (en) * 2013-08-23 2015-02-26 International Business Machines Corporation Shared Page Access Control Among Cloud Objects In A Distributed Cloud Environment
US9501649B2 (en) * 2013-03-15 2016-11-22 Symantec Corporation Systems and methods for determining potential impacts of applications on the security of computing systems
US9536088B1 (en) 2015-11-09 2017-01-03 AO Kaspersky Lab System and method for protection of memory in a hypervisor
US11093603B2 (en) * 2015-08-26 2021-08-17 Robotic Research, Llc System and method for protecting software from buffer overruns

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9715325B1 (en) 2012-06-21 2017-07-25 Open Text Corporation Activity stream based interaction
GB2510641A (en) * 2013-02-12 2014-08-13 F Secure Corp Detecting suspicious code injected into a process if function call return address points to suspicious memory area
US9298911B2 (en) * 2013-03-15 2016-03-29 Intel Corporation Method, apparatus, system, and computer readable medium for providing apparatus security
US9400885B2 (en) 2014-01-10 2016-07-26 Bitdefender IPR Management Ltd. Computer security systems and methods using virtualization exceptions
US9292686B2 (en) * 2014-01-16 2016-03-22 Fireeye, Inc. Micro-virtualization architecture for threat-aware microvisor deployment in a node of a network environment
US9703726B2 (en) 2014-06-24 2017-07-11 Bitdefender IPR Management Ltd. Systems and methods for dynamically protecting a stack from below the operating system
RU2586576C1 (en) * 2014-12-05 2016-06-10 Закрытое акционерное общество "Лаборатория Касперского" Method of accessing procedures of loading driver
US9934380B2 (en) * 2014-12-23 2018-04-03 Mcafee, Llc Execution profiling detection of malicious objects
US9984230B2 (en) 2015-06-26 2018-05-29 Mcafee, Llc Profiling event based exploit detection
US10726127B1 (en) 2015-06-30 2020-07-28 Fireeye, Inc. System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer
US11113086B1 (en) 2015-06-30 2021-09-07 Fireeye, Inc. Virtual system and method for securing external network connectivity
US10642753B1 (en) 2015-06-30 2020-05-05 Fireeye, Inc. System and method for protecting a software component running in virtual machine using a virtualization layer
US10395029B1 (en) 2015-06-30 2019-08-27 Fireeye, Inc. Virtual system and method with threat protection
US10216927B1 (en) 2015-06-30 2019-02-26 Fireeye, Inc. System and method for protecting memory pages associated with a process using a virtualization layer
US10365937B2 (en) * 2015-07-24 2019-07-30 Red Hat Israel, Ltd. Entropy increase by executable loader
US10033759B1 (en) 2015-09-28 2018-07-24 Fireeye, Inc. System and method of threat detection under hypervisor control
US10447728B1 (en) 2015-12-10 2019-10-15 Fireeye, Inc. Technique for protecting guest processes using a layered virtualization architecture
US10846117B1 (en) 2015-12-10 2020-11-24 Fireeye, Inc. Technique for establishing secure communication between host and guest processes of a virtualization architecture
US10108446B1 (en) 2015-12-11 2018-10-23 Fireeye, Inc. Late load technique for deploying a virtualization layer underneath a running operating system
US10191861B1 (en) 2016-09-06 2019-01-29 Fireeye, Inc. Technique for implementing memory views using a layered virtualization architecture
US10546117B1 (en) * 2016-11-15 2020-01-28 Symantec Corporation Systems and methods for managing security programs
US10445007B1 (en) * 2017-04-19 2019-10-15 Rockwell Collins, Inc. Multi-core optimized warm-start loading approach
US10924505B2 (en) * 2017-08-24 2021-02-16 Red Hat, Inc. Passcode based access-control with randomized limits
US10671725B2 (en) * 2018-03-20 2020-06-02 Didi Research America, Llc Malicious process tracking

Citations (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0806725A2 (en) 1996-05-07 1997-11-12 Sun Microsystems, Inc. Method and apparatus for easy insertion of assembler code for optimization
EP0951676A2 (en) 1997-01-08 1999-10-27 Symantec Corporation Polymorphic virus detection module
US20030014667A1 (en) 2001-07-16 2003-01-16 Andrei Kolichtchak Buffer overflow attack detection and suppression
GB2378005A (en) 2001-07-27 2003-01-29 Chien-Tzu Hou Method for Controlling Paged Memory Access Attributes
US6779099B2 (en) 2001-07-20 2004-08-17 Chien-Tzu Hou Operation method for controlling access attributes of a memorized page of a memory unit and its structure
US20070016953A1 (en) 2005-06-30 2007-01-18 Prevx Limited Methods and apparatus for dealing with malware
US20070226797A1 (en) 2006-03-24 2007-09-27 Exploit Prevention Labs, Inc. Software vulnerability exploitation shield
US20080040710A1 (en) 2006-04-05 2008-02-14 Prevx Limited Method, computer program and computer for analysing an executable computer file
US20080177994A1 (en) 2003-01-12 2008-07-24 Yaron Mayer System and method for improving the efficiency, comfort, and/or reliability in Operating Systems, such as for example Windows
WO2008131446A2 (en) 2007-04-23 2008-10-30 Scrutiny, Inc. Computing infrastructure
US7475220B1 (en) 2003-08-18 2009-01-06 Cray Incorporated Buffer overflow detection
US20090055571A1 (en) 2007-08-08 2009-02-26 Dmitriy Budko Forcing registered code into an execution context of guest software
US20090222923A1 (en) * 2005-12-20 2009-09-03 Symbian Software Limited Malicious Software Detection in a Computing Device
US7624373B2 (en) 2005-03-31 2009-11-24 Microsoft Corporation Security mechanism for interpreting scripts in an interpretive environment
US20090307430A1 (en) 2008-06-06 2009-12-10 Vmware, Inc. Sharing and persisting code caches
US20090307431A1 (en) 2008-06-06 2009-12-10 Garst Jr Gerald Blaine Memory management for closures
US7673116B2 (en) 2006-01-17 2010-03-02 Advanced Micro Devices, Inc. Input/output memory management unit that implements memory attributes based on translation data
US20100287414A1 (en) 2009-05-06 2010-11-11 Microsoft Corporation Exception raised notification
US7836504B2 (en) 2005-03-01 2010-11-16 Microsoft Corporation On-access scan of memory for malware
US7886148B2 (en) 2002-12-19 2011-02-08 Massachusetts Institute Of Technology Secure execution of a computer program
US20110047543A1 (en) * 2009-08-21 2011-02-24 Preet Mohinder System and Method for Providing Address Protection in a Virtual Environment
US7971255B1 (en) 2004-07-15 2011-06-28 The Trustees Of Columbia University In The City Of New York Detecting and preventing malcode execution
US7984304B1 (en) 2004-03-02 2011-07-19 Vmware, Inc. Dynamic verification of validity of executable code
US7996904B1 (en) 2007-12-19 2011-08-09 Symantec Corporation Automated unpacking of executables packed by multiple layers of arbitrary packers
US8024798B2 (en) 2005-05-06 2011-09-20 Siemens Aktiengesellschaft Method and apparatus for protecting against buffer overrun attacks
US8074281B2 (en) 2008-01-14 2011-12-06 Microsoft Corporation Malware detection with taint tracking
US8104089B1 (en) 2007-12-31 2012-01-24 Symantec Corporation Tracking memory mapping to prevent packers from evading the scanning of dynamically created code
US20130086299A1 (en) * 2011-10-03 2013-04-04 Cisco Technology, Inc. Security in virtualized computer programs
US20130097355A1 (en) * 2011-10-13 2013-04-18 Mcafee, Inc. System and method for kernel rootkit protection in a hypervisor environment

Patent Citations (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0806725A2 (en) 1996-05-07 1997-11-12 Sun Microsystems, Inc. Method and apparatus for easy insertion of assembler code for optimization
EP0951676A2 (en) 1997-01-08 1999-10-27 Symantec Corporation Polymorphic virus detection module
US20030014667A1 (en) 2001-07-16 2003-01-16 Andrei Kolichtchak Buffer overflow attack detection and suppression
US6779099B2 (en) 2001-07-20 2004-08-17 Chien-Tzu Hou Operation method for controlling access attributes of a memorized page of a memory unit and its structure
GB2378005A (en) 2001-07-27 2003-01-29 Chien-Tzu Hou Method for Controlling Paged Memory Access Attributes
US7886148B2 (en) 2002-12-19 2011-02-08 Massachusetts Institute Of Technology Secure execution of a computer program
US20080177994A1 (en) 2003-01-12 2008-07-24 Yaron Mayer System and method for improving the efficiency, comfort, and/or reliability in Operating Systems, such as for example Windows
US7475220B1 (en) 2003-08-18 2009-01-06 Cray Incorporated Buffer overflow detection
US7984304B1 (en) 2004-03-02 2011-07-19 Vmware, Inc. Dynamic verification of validity of executable code
US7971255B1 (en) 2004-07-15 2011-06-28 The Trustees Of Columbia University In The City Of New York Detecting and preventing malcode execution
US7836504B2 (en) 2005-03-01 2010-11-16 Microsoft Corporation On-access scan of memory for malware
US7624373B2 (en) 2005-03-31 2009-11-24 Microsoft Corporation Security mechanism for interpreting scripts in an interpretive environment
US8024798B2 (en) 2005-05-06 2011-09-20 Siemens Aktiengesellschaft Method and apparatus for protecting against buffer overrun attacks
US20070016953A1 (en) 2005-06-30 2007-01-18 Prevx Limited Methods and apparatus for dealing with malware
US20090222923A1 (en) * 2005-12-20 2009-09-03 Symbian Software Limited Malicious Software Detection in a Computing Device
US7673116B2 (en) 2006-01-17 2010-03-02 Advanced Micro Devices, Inc. Input/output memory management unit that implements memory attributes based on translation data
US20070226797A1 (en) 2006-03-24 2007-09-27 Exploit Prevention Labs, Inc. Software vulnerability exploitation shield
RU2417429C2 (en) 2006-03-24 2011-04-27 ЭйВиДжи ТЕКНОЛОДЖИЗ СиУай ЛИМИТЕД Protection from exploitation of software vulnerability
US20080040710A1 (en) 2006-04-05 2008-02-14 Prevx Limited Method, computer program and computer for analysing an executable computer file
WO2008131446A2 (en) 2007-04-23 2008-10-30 Scrutiny, Inc. Computing infrastructure
US20090055571A1 (en) 2007-08-08 2009-02-26 Dmitriy Budko Forcing registered code into an execution context of guest software
US7996904B1 (en) 2007-12-19 2011-08-09 Symantec Corporation Automated unpacking of executables packed by multiple layers of arbitrary packers
US8104089B1 (en) 2007-12-31 2012-01-24 Symantec Corporation Tracking memory mapping to prevent packers from evading the scanning of dynamically created code
US8074281B2 (en) 2008-01-14 2011-12-06 Microsoft Corporation Malware detection with taint tracking
US20090307431A1 (en) 2008-06-06 2009-12-10 Garst Jr Gerald Blaine Memory management for closures
US20090307430A1 (en) 2008-06-06 2009-12-10 Vmware, Inc. Sharing and persisting code caches
US20100287414A1 (en) 2009-05-06 2010-11-11 Microsoft Corporation Exception raised notification
US20110047543A1 (en) * 2009-08-21 2011-02-24 Preet Mohinder System and Method for Providing Address Protection in a Virtual Environment
US20130086299A1 (en) * 2011-10-03 2013-04-04 Cisco Technology, Inc. Security in virtualized computer programs
US20130097355A1 (en) * 2011-10-13 2013-04-18 Mcafee, Inc. System and method for kernel rootkit protection in a hypervisor environment

Non-Patent Citations (13)

* Cited by examiner, † Cited by third party
Title
European Search Report for European Application No. EP13175197 dated Dec. 4, 2013.
Executable compression Wikipedia. http://en.wikipedia.org/w/index.php?title=Executable-compression&oldid=510286153 Sep. 27, 2012.
Executable compression Wikipedia. http://en.wikipedia.org/w/index.php?title=Executable—compression&oldid=510286153 Sep. 27, 2012.
Exploit Wikipedia. http://en.wikipedia.org/w/index.php?title=Exploit-(computer-security)&oldid=513843931 Sep. 27, 2012.
Exploit Wikipedia. http://en.wikipedia.org/w/index.php?title=Exploit—(computer—security)&oldid=513843931 Sep. 27, 2012.
Kumar, Applying User-Mode Memeory Scanning on Windows NT, 2008, Retrieved from the Internet , pp. 1-8 as printed. *
Kumar, Applying User-Mode Memeory Scanning on Windows NT, 2008, Retrieved from the Internet <URL: http://sites.google.com/site/ericuday/EricUdayKumar-VB2008.pdf>, pp. 1-8 as printed. *
Maaser et al. A concept for Monitoring Self-transforming code using memorypage access control management, Oct. 2011, Retrieved from the Internet , pp. 1-7 as printed. *
Maaser et al. A concept for Monitoring Self-transforming code using memorypage access control management, Oct. 2011, Retrieved from the Internet <URL: ieeexplore.ieee.org/xpls/abs—all.jsp?arnumber=6095942>, pp. 1-7 as printed. *
Marignoni et al., Omniunpack, 2007, Retrieved from the Internet , pp. 1-10 as printed. *
Marignoni et al., Omniunpack, 2007, Retrieved from the Internet <URL: ieeexplore.ieee.org/xpls/abs—all.jsp?arnumber=4413009>, pp. 1-10 as printed. *
Russian Search Report for Russian Application No. 2012106465/08(009793) dated Feb. 24, 2012.
W^X Wikipedia. http://en.wikipedia.org/w/index.php?title=W%5EX&oldid=511430930 Sep. 27, 2012.

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9501649B2 (en) * 2013-03-15 2016-11-22 Symantec Corporation Systems and methods for determining potential impacts of applications on the security of computing systems
US20150058926A1 (en) * 2013-08-23 2015-02-26 International Business Machines Corporation Shared Page Access Control Among Cloud Objects In A Distributed Cloud Environment
US11093603B2 (en) * 2015-08-26 2021-08-17 Robotic Research, Llc System and method for protecting software from buffer overruns
US9536088B1 (en) 2015-11-09 2017-01-03 AO Kaspersky Lab System and method for protection of memory in a hypervisor
EP3166037A1 (en) 2015-11-09 2017-05-10 AO Kaspersky Lab System and method of secure execution of code in hypervisor mode
US10162964B2 (en) 2015-11-09 2018-12-25 AO Kaspersky Lab System and method for protection of memory pages using a hypervisor
US11269996B2 (en) 2015-11-09 2022-03-08 AO Kaspersky Lab System and method for protecting memory pages

Also Published As

Publication number Publication date
US20130227680A1 (en) 2013-08-29
RU2012106465A (en) 2013-08-27
RU2510074C2 (en) 2014-03-20

Similar Documents

Publication Publication Date Title
US8990934B2 (en) Automated protection against computer exploits
US11841966B2 (en) Inhibiting memory disclosure attacks using destructive code reads
KR101946982B1 (en) Process Evaluation for Malware Detection in Virtual Machines
KR102297133B1 (en) Computer security systems and methods using asynchronous introspection exceptions
KR102189296B1 (en) Event filtering for virtual machine security applications
Gu et al. Process implanting: A new active introspection framework for virtualization
US7603713B1 (en) Method for accelerating hardware emulator used for malware detection and analysis
US9037873B2 (en) Method and system for preventing tampering with software agent in a virtual machine
JP6411494B2 (en) Page fault injection in virtual machines
US9424427B1 (en) Anti-rootkit systems and methods
US7251735B2 (en) Buffer overflow protection and prevention
US8495741B1 (en) Remediating malware infections through obfuscation
WO2015199568A1 (en) Systems and methods for dynamically protecting a stack from below the operating system
EP3825883B1 (en) Hypervisor-based interception of memory accesses
EP2720170B1 (en) Automated protection against computer exploits
Kittel et al. Code validation for modern os kernels
Chubachi et al. Hypervisor-based prevention of persistent rootkits
US9342694B2 (en) Security method and apparatus
Parida et al. PageDumper: a mechanism to collect page table manipulation information at run-time
Hizver et al. Cloud-based application whitelisting
RU2585978C2 (en) Method of invoking system functions in conditions of use of agents for protecting operating system kernel
Suzaki et al. Kernel memory protection by an insertable hypervisor which has VM introspection and stealth breakpoints
Kuzuno et al. KMO: kernel memory observer to identify memory corruption by secret inspection mechanism
Wen et al. Towards thwarting data leakage with memory page access interception
Grover et al. Rkrd: Runtime kernel rootkit detection

Legal Events

Date Code Title Description
AS Assignment

Owner name: KASPERSKY LAB ZAO, RUSSIAN FEDERATION

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:PAVLYUSHCHIK, MIKHAIL A.;REEL/FRAME:029106/0786

Effective date: 20121008

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: AO KASPERSKY LAB, RUSSIAN FEDERATION

Free format text: CHANGE OF NAME;ASSIGNOR:KASPERSKY LAB ZAO;REEL/FRAME:036786/0655

Effective date: 20150625

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8